Synology, again!

Help
1

Please fill out the fields below so we can help you better. Note: you must provide your domain name to get help. Domain names for issued certificates are all made public in Certificate Transparency logs (e.g. https://crt.sh/?q=example.com), so withholding your domain name here does not increase secrecy, but only makes it harder for us to provide help.

My domain is: crystobal.net

I ran this command: Inbuilt Synology GUI certificate renew and create new

It produced this output: The operation failed

My web server is (include version): Don’t know, built into DSM

The operating system my web server runs on is (include version): DSM 6.2.1-23824 Update 6 (Latest version)

My hosting provider, if applicable, is: Hosted on Synology with static IP

I can login to a root shell on my machine (yes or no, or I don’t know): Yes, if I have to

I’m using a control panel to manage my site (no, or provide the name and version of the control panel): Synology DSM

The version of my client is (e.g. output of certbot --version or certbot-auto --version if you’re using Certbot): Not using Certbot

I was aware of the change in validation methods with Let’s Encrypt, but as it seemed that Synology had this covered, I was not worried. It seems that I was wrong.
The certificate auto-renewed a few months ago, now it will not.
I have tried to renew, replace, and add, none work.
I have a static IP on a business connection in the UK, the DNS etc. has all been working for years OK with a Let’s Encrypt cert.
It just looks like there is now an issue because of the change in validation methods.
I can access the Synology unit via its ip address or its domain name and ports 80 & 443, though because the certificate is expired 443 does not show as secure.

I don’t really understand Linux and the command line stuff, I can do it at a push, but it takes me a long time. I nearly wiped out the whole thing once, and managed to lock my account so I am a little cautious & very careful now!

I am using the in built Synology DSM to create/renew etc. and until now, no issues.
Anybody able to shed any light please?
Going to try and raise a ticket with Synology, but, in the mean time, our emails are pretty much down because the clients don’t want to connect.

2

Hi @Sidewinder

checking your domain port 80 doesn't answer ( https://check-your-website.server-daten.de/?q=crystobal.net ):

Domainname Http-Status redirect Sec. G
• http://crystobal.net/
213.123.189.13 -14 10.030 T
Timeout - The operation has timed out
• http://www.crystobal.net/
213.123.189.13 -14 10.026 T
Timeout - The operation has timed out
• https://www.crystobal.net/
213.123.189.13 301 https://crystobal.net/ 3.070 N
Certificate error: RemoteCertificateChainErrors
• https://crystobal.net/
213.123.189.13 200 2.090 N
Certificate error: RemoteCertificateChainErrors
• http://crystobal.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
213.123.189.13 -14 10.027 T
Timeout - The operation has timed out
Visible Content:
• http://www.crystobal.net/.well-known/acme-challenge/check-your-website-dot-server-daten-dot-de
213.123.189.13 -14 10.030 T
Timeout - The operation has timed out
Visible Content:

Looks like you have used an old Synology with tls-sni-01 validation, that's not longer supported. So Synology is updated and uses http-01 validation, that requires an open port 80.

But your port 80 is closed -> timeout.

If you are able to use port 80 internal: Check your firewall settings. If it is a home server, check your port forward rules.

Extern port 80 -> intern port 80 is required.

3

Thanks for checking this.
Port 80 is definitely open, the firewall maps it to the webserver running on the Synology, which is running all the latest updates, there is no newer version of Synology DSM that I can use.
I can definitely access the units port 80 via an independent network in the UK, but, you saying that you can’t does give me a clue that I can investigate.

1 Like
4

Now port 80 is open. Checking a not existing page in /.well-known/acme-challenge returns a “Sorry, page not found” - page in my browser.

5

Hello Jurgen,
Port 80 should have been open originally, however, the setting hadn’t “saved”, either clicking too quickly or not saving properly on my part, sorry to give you duff info, and thanks for checking.
However, you saying that and checking some things did give me an idea.
I traced it to the firewall on the Synology unit rejecting the connection from wherever Let’s Encrypts servers are located.
I disabled the firewall, ran the renew and it all worked OK, so I then re-enabled the firewall.
I am going to either have to do this every time I need to renew, or allow the country location through. I’m not sure where that is though, and, I am guessing it may change.
So, with a work around I am sorted.
I like your site though Jurgen, lots of good information there, lots of which, I don’t understand though!!! :wink:
Thanks again.
Paul

1 Like
6

This topic was automatically closed 30 days after the last reply. New replies are no longer allowed.